INFRASTRUCTURE LOG

DAY 25: Our ad hoc security solutions are out of control. We're not prepared for new threats. We're always playing catch-up. We're leaving ourselves vulnerable and exposed.

Gil's had a security epiphany: high-powered lasers. They're everywhere. I keep zapping myself as I type.

DAY 26: I'm taking back control with an end-to-end security solution from IBM. Their security service experts can come in and help us assess our security needs. IBM Tivoli® helps us monitor and respond to threats while managing access to our critical information. And the IBM System z™ mainframe's encryption and multilevel security features are legendary.

That's great. But it won't bring back my left sideburn.

IBM.COM/TAKEBACKCONTROL/SECURITY


cover story The Rise of Antiforensics

COMPUTER FORENSICS New, easy to use antiforensic tools make all data suspect, threatening to render computer investigations cost-prohibitive and legally irrelevant. By Scott Berinato

Vulnerability Assessment's Big Picture

VULNERABILITY ASSESSMENT Los Alamos National Laboratory's Roger Johnston talks about how aliens, Elvis impersonators and obstinate employees can help you find and fix security problems. By Sarah D. Scalet

38 How to Plan an Investigation

BOOK EXCERPT A primer to help nonsecurity personnel conduct effective investigations. By John Thompson
MULTIPLY MOBILE SECURITY AND MAXIMIZE CONFIDENCE.

WITH INTEL® CENTRINO® PRO PROCESSOR TECHNOLOGY.

to notebooks remotely! even if they're powered off* Automatically isolate an
it infects other devices, with 64-bit capable Intel Centrino Pro processor technology,
Core™2 Duo processor, you multiply your power to manage your systems.
Learn more about why great business computing starts with Intel inside. Visit intel.com/centrinopro
Expert: U.S. Critical Infrastructure in Jeopardy

Aaron Turner of Idaho National Labs says our electrical service, transportation systems, refineries and drinking water are all vulnerable to very simple cyberattacks.

www2.csoonline.com/exclusives/column.html?CID=32893

BLOGS AND MORE BLOGS

In The Brave New World of Infosec blog, CISO Jeff Bardin tackles topics ranging from connectivity to bloated, unworkable network tools. Check out all our blogs at blogs.csoonline.com.

Cell Phones for Authentication?

As banks ramp up on two-factor authentication efforts to meet the requirements of the Federal Financial Institutions Examination Council, is the answer to security woes just a text message away?

www.csoonline.com/caveat/042407.html
"No official announcement is forthcoming, but the Internet is broken and it can't be
Securing dynamic networks can be a nightmare, squared. But Juniper Networks protects your resources and applications and improves productivity by securing and controlling access to your network.

As the recognized SSL VPN market share leader, we know remote access and how to secure it. And now with Juniper's innovative Unified Access Control solution, we deliver visibility into your users' identities, locations, endpoint security — everything — regardless of where — local or remote — how, or even which users attempt to access your network. So enforce policy as lenient or strict as you choose, control traffic, identify and contain noncompliant users, and eliminate and mitigate malware and other threats. In short, be confident in controlling and securing access across your entire network. Only Juniper makes any network more secure: www.juniper.net/controllingaccess


Margins of Defeat

You're businesspeople, right? Good. Then let's talk about a business guru, innovation and profit margins for a moment.


Clayton Christensen is the business guru. He's a Harvard prof and well-regarded author. His name is one that might hold some influence over your CEO.

The Internet is the innovation. Or at any rate, it's the fertile ground from which innovations are growing like kudzu. Technology innovations, process innovations, lots of new stuff.

Now one of the things Christensen has said about innovations is this:

The disruptive ones initially lower your margins. That's right. A transformative new idea that changes markets, processes and workflows doesn't usually pay off instantly for the innovator. It requires some investment in order to grow into what it will become.

Read Senior Editor Scott Berinato's article on antiforensics starting on Page 24 and you'll see innovation at work, but you may not like the results. Investigators and researchers alike say hackers are forging new and more easily used technologies at a breakneck pace, effectively covering their digital tracks as they carry out whatever scam they please. As we've noted in other recent cover articles, Web application security is in a similar state— the good guys are working hard, but widespread adoption of their work is far, far behind the pace at which bad guys are implementing their own creative ideas. And social networking sites like MySpace are scrambling to catch up to miscreants playing in these new sandboxes.

I've never been a fan of the CSO-to-Board whine "We can't quantify security but you aren't spending enough money." That's why we incessantly write about metrics, return on investment and so forth. And yet when I consider the disruptive nature of the Internet, I have to conclude that CEOs are picking precisely the wrong moment in history to cheap out on cybersecurity in the name of margins. Consciously or not, CEOs have ignored the inherent risks of the platform in favor of what looked like easy money. Now, as Berinato's story points out, and as news stories every day confirm, those risks are boomeranging back at all of us.

So on April 26 of this year, when a group of cybersecurity experts testified before Congress and said that the United States' critical infrastructure is vulnerable to a potential "strategically crippling cyberattack," my knee-jerk response was "Well, duh." There's little you do online that's safe. Everything attached to the Internet is vulnerable. All those enticing profits and efficiencies from Internet commerce are daily being erased by identity theft, phishing, spam and badware in general. And the margins won't return until we get into a deeper investment mode and stabilize this platform.

Let me quote Christensen, from a 2004 Gartner interview: "The evidence really is strong that when a corporation needs that new business to get very big, very fast, they won't allow it to take that time on the runway— the time to make sure it's headed in the right direction. They just force it to take off very quickly and almost always, it fails."

Precisely what we're doing with the Internet. This is a time of disruptive innovation and some investment in security groundwork is sorely needed. CEOs, let me give it to you straight: You aren't spending enough money.

Derek  Slater,  dslater@cxo.com 


6  www.csoonline.com  June  2007 


PHOTO  BY  WEBB  CHAPPELL 


[Board-game graphic: competitor squares (Symantec/Altiris, IBM/Tivoli, McAfee/Citadel, McAfee/Hercules, Microsoft/SMS) and BigFix patent squares (U.S. patents 6,256,664; 6,604,130; 6,801,929; 6,356,936; 6,879,979; 6,931,434; 6,263,362; New Zealand patent 510258; Australia patent 762054; several marked Patent Pending).]

Success isn't a game. At stake is survival. BigFix lands with the only massively scalable consolidated IT platform. Which means instant, single-console protection of all your PC, Mac, and Unix systems. Nobody else can do this. Everybody else is trying.

Never before have so few done so much, so fast, for so many.

THERE'S A REASON BIGFIX HAS TAKEN OVER THE PLANET!

We're playing monopoly for real. Tell your leader to schedule an ever-so-polite free* demonstration showing how we empower you at

*Obviously, we don't have unlimited bandwidth to do these free assessments. We're looking for enterprises with tens of thousands of PC/Mac/Linux/Unix systems. Our prices are so low that we can't spend a lot of time selling smaller deployments
More on DNS (In)Security

IN ERIK Sherman's article "DNS: Definitely Not Safe?" [February] I agree with him that DNS-related security issues are important and often neglected, but I'm not sure that a CISO reading that article will come away with a clear short list of things to check (and potentially fix). Let me just offer four brief suggestions:

1. Do a quick free sanity check on your DNS using http://dnsreport.com— that website will report on over 50 potential DNS configuration and security issues. If you do nothing else, at least do that one check and have a discussion with your DNS administrator about anything that's flagged.

2. DNS amplification attacks are a huge issue, and efforts to get those attacks under control begin with end sites and their ISPs filtering spoofed traffic sources as described in BCP38 (RFC2827).

3. Open recursive DNS servers do need to be secured, which typically means at least decoupling authoritative DNS servers from recursive DNS servers and limiting access to the recursive DNS server to just the provider's customer.

4. Make sure the DNS software you're running is up to date.

These are all very basic steps, but they're all incredibly important ones.

Sherman also touched on DNSSEC, but regrettably his summary contained a number of factual errors. For example:

1. It is not necessary for "everyone above you in the DNS tree" to be signed in order for DNSSEC to be possible— if that were true, DNSSEC couldn't exist anywhere since the root (".") domain itself still hasn't been signed. The existence of a signed .se zone is proof by example that the root does not need to be signed before any TLD can be signed.

Without a signed root it is true that key management becomes far less tractable, but sites can diligently acquire keys to authenticate isolated islands of trust, or sites could try Domain Lookaside Validation (DLV) as an alternative transitional approach.

2. Public-key cryptography does not, per se, always require involvement of a certificate authority (CA). For example, PGP/GPG is a well-known example of a public-key cryptography product that relies on a web-of-trust model instead of relying on a centralized top-down trust model rooted at a CA.

I am also somewhat concerned that this article doesn't really highlight the growing connection between malware tampering with DNS and providers reacting by blocking or hooking DNS traffic.

For example, as more and more users get infected by malware, which results in their being redirected to untrustworthy DNS servers, there is increasing interest (at least among some providers) in blocking or redirecting any user DNS traffic that isn't intended for the local service provider's DNS servers. But of course that sort of approach represents yet another erosion of end-to-end transparency.

Disclaimer: All opinions are my own.

JOE ST SAUVER
Manager, Security Programs, Internet2
Information Services, University of Oregon
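As an added example (not from the letter or from CSO), the following BIND 9 named.conf fragments put suggestions 2 and 3 of the letter above into configuration form: the weak setting, one server that is both authoritative and recurses for the whole Internet, beside the corrected split into an authoritative-only server and a resolver that recurses only for the provider's own address space. The host names and the 192.0.2.0/24 and 2001:db8::/32 prefixes are placeholders.

```conf
// ---- WEAK: named.conf on a single server doing both jobs (what the letter warns against) ----
// This host is authoritative for example.com AND resolves names for anyone who asks.
// An open recursive resolver like this is what DNS amplification attacks reflect off
// (suggestion 2), and its cache is reachable from the whole Internet.
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };           // open recursion for everyone: the defect
};
zone "example.com" { type master; file "example.com.zone"; };

// ---- CORRECTED (a): named.conf on the authoritative-only host (placeholder: ns1.example.com) ----
// Suggestion 3, first half: this server answers only for the zones it hosts and never
// resolves on behalf of clients, so it cannot be used as a recursive reflector.
options {
    directory "/var/named";
    recursion no;                       // authoritative only
    allow-query { any; };               // our own zones are public by design
    allow-query-cache { none; };        // nothing cached, nothing to leak
    allow-transfer { none; };           // list real secondary servers here instead, if any
    minimal-responses yes;              // smaller answers: less amplification per query
};

zone "example.com" {
    type master;
    file "example.com.zone";
};

// ---- CORRECTED (b): named.conf on the customer-facing resolver (placeholder: resolver.example.net) ----
// Suggestion 3, second half: recursion is offered only to the provider's own address
// space, so outsiders cannot bounce traffic off it (suggestion 2).
acl "customers" {
    192.0.2.0/24;                       // placeholder: IPv4 documentation prefix
    2001:db8::/32;                      // placeholder: IPv6 documentation prefix
    localhost;
};

options {
    directory "/var/named";
    recursion yes;
    allow-query { customers; };         // everyone else's queries are refused outright
    allow-recursion { customers; };     // and no recursion is performed for them either
    allow-query-cache { customers; };   // cached answers are not readable from outside
    // No zone statements here: authoritative data lives on ns1, not on the resolver.
};
```

A quick self-check from a host outside the customers ACL is `dig @resolver.example.net www.example.com` which should be REFUSED, while the same query against ns1.example.com is answered (authoritative, no RA flag) and a query for a foreign name against ns1 is not recursed.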
ABOUT IDG International Data Group (IDG), the leading global provider of IT media, research, conferences and events, informs more people about technology than any other company in the world. Offering the widest range of media options, IDG reaches more than 120 million technology buyers in 85 countries representing 95 percent of worldwide IT spending. IDG publishes more than 300
World. PC World and CIO global product lines. IDG
Copper Theft Abounds

THANK YOU for giving much needed exposure to a growing epidemic ["Red Gold Rush," February]. Our investigative staff, at times, is overwhelmed by the sheer volume of incidents the "red gold rush" has generated across our service territories. This was a very well-written piece. Keep up the good work.

LUIS H. MORALES
Manager, Security and Systems Technology
Duke Energy

Correction The photo of Theo Lane in "Red Gold Rush" was incorrectly credited. It was taken by Roger Ball.

We want to hear from you

TO RESPOND to articles you've read in CSO, write to us at csoletters@cxo.com. We welcome your criticism, thoughts and suggestions.
We've got your back.

BT's got ours.

You've bought the firewalls, the security appliances, filters, servers and software. But technology alone doesn't stop attacks. Vigilance does.

Counterpane has always helped enterprises monitor and manage their assets, detect attacks and respond quickly - before the IT hits the fan.

Now we're even stronger, as part of BT, the global powerhouse in networked IT services.

BT Counterpane takes the burden of vigilance from the shoulders of your security staff so they can focus on your business. No one sees more kinds of attack.

No one understands security better. No one does what we do, the way we do it. Who's got your back?
The Process Payoff

GE CSO Francis Taylor drives security changes with Six Sigma

SIX SIGMA What gets measured gets done. And when you analyze what you're doing in a quantitative way, you identify opportunities you didn't know you had.

That may be a simplistic way of defining Six Sigma and other methodologies designed to improve business processes. But as Francis X. Taylor, CSO of General Electric, emphasized to an audience of security executives at the CSO Perspectives conference in March, you don't need to be a Six Sigma Black Belt to use its principles and benefit from the results.

"What makes a great security leader is the ability to develop insightful strategies that support the company's goals," Taylor said. "Most of you have professional skills, market knowledge, you are results-oriented. [You need to] combine that with process thinking" and use data to drive decisions from an outside-in perspective, he added.

A methodology like Six Sigma "requires a change in how you think about your organization and how it works," Taylor said. It requires shifting loyalties from how your organization operates to how those operations affect customers— the people and organizations who determine the value of what you produce. Performing well in this task adds value to your organization, can help security executives anticipate risks and identify resources to mitigate them, and it enables your leadership to pursue new opportunities for growth, he added.

To show what he meant, Taylor shared anecdotes from his career, which has included stints as assistant secretary of state for diplomatic security and U.S. ambassador-at-large for counterterrorism for the State Department under Colin Powell. (See "Three Examples of Process Gains," this page.)

Taylor said that process changes often run into resistance from employees who feel threatened by changes to processes they own. It's important to make process owners part of the effort to reexamine how a process works and to identify ways to improve it. Taylor recounted the efforts of employees at a locomotive engine plant in Erie, Pa., who looked at their manufacturing processes and moved from what he called working in an iterative fashion to a more combined process, where some prework was done with parts earlier than in past processes. The result has been cutting the time to make an engine from 58 days to 29 days.

For more on applying process principles to security, see "Ideas You Can Steal from Six Sigma" at www.csoonline.com/read/120106/fea_sir_sigma.html. -Michael Goldberg

Three Examples of Process Gains

POLICY VIOLATIONS. When General Electric CSO Francis X. Taylor worked at the State Department, Congress demanded reports on employees' security violations. The department initially included those reports in employees' HR files. But the department needed to reduce security violations, not punish employees, Taylor said. He ordered an analysis, which found that 80 percent of violations involved inattention to detail or ignorance of department security policies. Making employees aware drove violations down by 55 percent in one quarter, he said.

BACKGROUND CHECKS. Checks at the State Department took, on average, more than a year during a time that then-Secretary Colin Powell wanted to hire more foreign service officers. Taylor said an analysis of the process found that too many "clean" files that could be handled quickly were languishing as the process focused on tougher cases. He shifted that emphasis over time, and granted interim clearances to interns. These and other process improvements drove the average clearance down to 77 days.

SECURITY ALARMS. When Taylor joined GE in March 2005, his inquiries into security processes led to streamlining how the company's facility managers respond to security alarms by eliminating alarms that didn't require action. This freed up resources to make the organization more effective, he said. At GE, Taylor said: "My job is to bring value to how [CEO Jeffrey Immelt] does his job," an effort that enables growth.
Briefing

A Global View on a Global Brew

Starbucks team looks to reduce risk through training, surveillance and supply chain programs— and to keep up with rapid growth

RISK MANAGEMENT When he describes the security function's goals at Starbucks Coffee, Francis D'Addario shares a 13-syllable mantra: Protect people. Secure assets. Enable mission.

Those six words inform everything the Starbucks security team does, from keeping coffee buyers safe on hot zone trips to Indonesia and Ethiopia, to helping coffee baristas understand what to do if there's an attempted robbery, to monitoring coffee shipments from farm to roasting plant to corner store.

D'Addario, vice president at Starbucks, along with members of the security team— Elizabeth King, vice president, information management services; Sean Dettloff, manager of partner and asset protection; and Rick Gipson, director of U.S. partner and asset protection— gave an overview of the company's asset protection strategies to about 200 attendees at the recent CSO Perspectives conference. Among the points the Starbucks team made:

■ Their challenges increase because the $7.8 billion company with 13,000 stores in 40 countries is growing so fast— about 20 percent annually, opening up, on average, six new retail outlets daily. D'Addario said Starbucks security focuses on three main tasks: identifying risk and investing in risk mitigation measures that show return on investments; authenticating partners, trusted agents and goods providers; and building a global view of operations that reports exceptions.

"…become like profit per share or EBITDA. They never change no matter who the CFO is.... I've gone from wanting senior management buy-in to wanting senior management ownership. They own the metrics; we just host them."

-BRUCE LARSON, CSO, AMERICAN WATER

FOR MORE ON LARSON'S VALUE PROTECTION METRIC, SEE "VALUE MADE VISIBLE" AT WWW.CSOONLINE.COM/040106.

■ The security team has built what it calls the Enterprise Security Platform, a central security facility that "converges enterprise and physical security" by monitoring critical facilities such as roasting plants, container loading sites and retail stores. The center also watches risk management conditions for travelers and facilities around the globe.

■ Container security is a key part of supply chain management. Starbucks uses video monitoring of loading facilities to capture images of loading and sealing containers with "container security devices"— a magnetic device that tracks the closing of the container doors, its opening, and temperature and humidity along its journey. The device also is capable of uploading data from third-party logistics providers. And it detects tampering. (Starbucks rejected using RFID or GPS devices as not worth the cost, Dettloff said.)

■ A cross-functional governance council sets security policies for the company. Starbucks has built an electronic policy library to help employees know what to do and how to do it.

■ Security provides in-store training to help employees understand how to handle risky situations, from customers who turn violent to criminal activity. Design elements also provide for lighting and clear visibility into stores. Future enhancements call for furniture designed to help consumers protect their handbags and laptops, Gipson said.

-Michael Goldberg
our definition of convergence. It's when all your disparate physical security systems work together as one across multiple platforms and locations. Your common business processes between physical security and IT are managed as one. Driven by business policies that you write, with full transparency and control from a single web-based dashboard. Quantum Secure brings it all together so you can think more strategically with our off-the-shelf solution, SAFE.

■ Creation of ONE identity across disparate access control systems

■ Policy-based and automated new hire, termination and change management for physical access

■ Sustainable operations to comply with internal and government regulations

And it's all exclusively from Quantum Secure.

the power to converge

1.408.687.4587 • quantumsecure.com • info@quantumsecure.com


INCIDENTS 


Briefing 


Pentagon Taps Contractors for ID Card Help

IDENTITY MANAGEMENT Having issued 3.3 million physical and logical access cards that are a precursor to those mandated under Homeland Security Presidential Directive 12, the Defense Department last year began turning its attention to authenticating private-sector contractors who require access to DoD facilities and IT resources.

The goal was to create a federated identity system over a secure network that would allow private-sector contractors to use their company's employee badges to access bases, labs, plants and other secure facilities around the world. That same system also would have to meet credentialing requirements for access to information systems, as demanded by HSPD-12.

What resulted was the completion late last year of the first leg of an experimental, third-party intermediary cross-credentialing network called the Federation for Identity and Cross-Credentialing Systems (FiXs). A second phase, aimed at integrating this network for access systems, should be completed in a year, says Mary Dixon, director of the Defense Manpower Data Center.

The effort reflects nearly two years' work defining legal, auditing, privacy, operation and implementation rules with the help of FiXs, a network of 23 contractors, financial institutions, authentication vendors, system integrators, and other businesses and organizations. This network represents about 600,000 FiXs card-carrying workers, whose credentials can interoperate in a secure, ATM-style network. The network also accepts 3.3 million defense workers' access cards.

Dixon says the biggest challenge was getting the Pentagon to accept third-party credentials that were not managed and revoked by the Defense Department directly but rather by contractors. "We needed assurances that the employer who's responsible for the credentials will have properly vetted and entered the employee into the system" through FiXs, Dixon says. Safeguards also included nixing credentials for fired contractors, or making other status changes, within three hours.

Once a contract worker is enrolled, his data is kept within his employer's database, and queries against those credentials are processed through the FiXs authentication station— essentially a smart switch sitting in front of the database. DoD also has its own trust gateway smart switch that interfaces with the FiXs gateway. Basically, all this amounts to a Web-based application that reads the credential, goes through a trust broker to reach the appropriate employer's database, and returns a photograph and some biographical and biometric information that allows the DoD facility to confirm that the credential is valid.

Because many of the large defense contractors helped create the FiXs network, many of their employees are also FiXs card carriers, offering a large pool of contractors and civilian workers already on the FiXs network for DoD agencies to choose from. Some examples include SRA International, which provided the mobile authentication hardware and software for the project; EDS, which handled enrollment through its Assured Identity program; and Northrop Grumman, which handles network operations management.

Paul Stamp, senior security analyst at Forrester, says he expects to see more FiXs-style networks because it advances the HSPD-12 policy that "attempts to address some of the policy issues around setting up a common set of processes to validate an identity prior to credentialing."

-Deb Radcliff

Threat from Within

Hackers are not the biggest worry when it comes to your company's records

[Chart: share of compromised-record news accounts ATTRIBUTED TO HACKER, ATTRIBUTED TO ORGANIZATION, and UNATTRIBUTED]

SOURCE: "A CASE OF MISTAKEN IDENTITY? NEWS ACCOUNTS OF HACKER, CONSUMER, AND ORGANIZATIONAL RESPONSIBILITY FOR COMPROMISED DIGITAL RECORDS, 1980-2006" BY KRIS ERICKSON AND PHILIP N. HOWARD, THE JOURNAL OF COMPUTER-MEDIATED COMMUNICATION
But you can operate both methods from a single platform.

Flexible and efficient, Entrust IdentityGuard serves as a versatile authentication platform that provides a range of choices — machine authentication, grid cards, questions and answers, digital certificates, out-of-band and the industry-first $5 OTP token. Whether it's versatile authentication, disk encryption, fraud detection, secure messaging or anything in between, organizations need a layered security expert that has security in its DNA. Visit www.entrust.com to find out more.

Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries. In Canada, Entrust is a registered trademark of Entrust Limited. All other Entrust product names and service names are trademarks or registered trademarks of Entrust, Inc. or Entrust Limited in certain countries. All other company names, product names and logos are trademarks or registered trademarks of their respective owners. ©Copyright 2007 Entrust. All rights reserved.


Briefing 


Questions 
After  Virginia 
Tech  Tragedy 

CRISIS COMMUNICATIONS Among the many questions in the wake of the Virginia Tech tragedy on April 16, in which a student gunman killed 32 people and then himself, were several for crisis communications managers, such as: In the midst of an uncertain and dangerous situation, how do you assess the scope of the risk? And what method do you use to communicate with people potentially at risk?

In this case, there were two shooting incidents—one that killed two people at about 7:15 a.m. at a dormitory, and a second, more deadly outburst at an engineering building—separated by about two hours. Media reports have indicated that campus police were given information about the first shooting that led them to question a man not involved in either incident. University officials sent out a campuswide e-mail at 9:15 a.m. about the first incident in the dormitory; 911 calls alerted authorities about a second shooting incident at the engineering building about 15 minutes later, Computerworld reported.

[Photo caption: A police officer guards the perimeter of the Virginia Tech campus in Blacksburg, Va., as students evacuate after a gunman shot dozens of people.]


How to Communicate in a Crisis


Edward A. Flynn, the former Massachusetts public safety secretary, spoke to CSO in 2005, shortly after he handled a media frenzy over reports that the FBI was seeking six foreign nationals in connection with a suspected plot to release a dirty bomb in Boston. The tip to authorities later turned out to be a hoax. But as in real-time crisis situations facing many security executives, Flynn didn’t know that at first. Flynn shared these crisis communication tips, which you can pass along to executive colleagues and managers at your organization.

Share accurate information. During a crisis, Flynn says, you first need to provide information to your colleagues and employees about what’s happening so that they can respond appropriately. This is a big deal even if it’s hard to do, with conflicting interests at play among government agencies, he adds. “Understandably, there’s stress between the federal concerns to protect an ongoing investigation and the state government who needs to convey information to the media.”

Answer questions. After an organization releases information about an incident, Flynn says, expect questions. It’s important to respond quickly and to shape answers that reflect the tone you are trying to achieve—in this case, a calming presence. He adds: “If I’m answering your questions, I’ve found, it gives me room in tone and content to convey a more accurate, simple statement than any crafted message could do. And there’s always the old adage that you answer the question you wish you were asked.”

Tell the truth. Flynn says that it’s important to establish your credibility before a crisis. Then, when an incident occurs, your boss and peers will know that they can come to you for accurate and reliable information. Also be aware of your superiors’ points of view. “Their concerns are not only security related. They have a constituency. There are other interests besides yours at stake.”

Be prepared. Flynn says you need a communication plan that “requires that we work out in advance how we will communicate that message—who will deliver it to certain constituencies. If we have an industry that’s part of the critical infrastructure, what is your standard procedure to handle information when it comes into your domain? Into the public domain? How do you [speak] to your employees? These discussions need to take place in advance.”

Get involved. As a government official, Flynn says he saw the importance of public- and private-sector information-sharing. “CSOs should get involved with local and state government,” Flynn says. “Get in touch with your state’s emergency management agency.”


SOURCE: ADAPTED FROM “CRISIS CALLING ON LINE ONE,” WWW.CSOONLINE.COM/READ/040W5/BRIEFING_INCIDENT.HTML.
So You Want to Be a Global CSO?

Advice on landing a gig in Europe from someone who’s been there, done that. By Paul Raines

EVER SINCE I moved to Europe, I’ve been inundated with inquiries from other Americans wondering how they might also find a job here. I figured I’d save time and money on the phone calls by writing a column on the topic. (Yes, I’m that lazy.)

Many Americans think that Europe is an employee’s paradise just because the work hours are shorter, there is more job security, and employees get more vacation time. Those things are certainly true, but before you begin your job hunt, you should understand what you’re up against.

First, compensation in Europe tends to be lower than in the States. Even though American ex-pats get the first $80,000 of their salary tax-free, that doesn’t really make up for the difference.

Also, it can be difficult adjusting to the different culture. You’ll probably need to be proficient in the language of the country where the job is based, and even then you’re likely to experience some degree of discrimination. Finally, most countries require that the employer certify that there were no available, qualified workers in the host country to do the job. It helps that information security is a technical field with a relative shortage of qualified people, but it might be more difficult to make this case in physical security.

Given these challenges, what’s the best way to proceed? In my experience, the best ways for an American to work in Europe are either to work for a global, American-based company and ask to be transferred to a European office, or to work for an international agency based in Europe. I’ve done both and know the advantages and drawbacks of both methods.

If you work for an American company, then, by definition, that company’s headquarters will be located in the United States. That can put you at a disadvantage when coordinating security issues with senior management. The time zone difference may sometimes mean working late nights. It’s often hard to stay in the loop, and you’ll have to deal with the “us versus them” attitude that tends to occur between a central management office (which makes policies) and the field offices (which have to execute those policies).

It’s not all bad, though. You’ll be able to speak with some knowledge and authority about how European laws or local conditions must be taken into account when making security policies. You’ll also be more conversant about the European market and attitudes. If you manage it wisely, you can gain the trust of both your European and American colleagues on all kinds of matters.

Working for an international agency is another possibility. These agencies typically crave American workers because it helps them demonstrate that they are truly international. The United Nations agency where I work, for example, has a keen interest in showing that it has Americans in senior management positions.

Either way, networking for an international job is similar to networking in the States. Find an organization that you are interested in working for, and try to find out if you know anyone who has a connection there. Looking for a job overseas means it is less likely that you will have some connection; the good news is that international organizations are less apt to blow you off when you make a cold call.

If you call an international organization and ask for the CSO, the chances are good that your call will be forwarded to that person, and you can have a friendly and professional conversation about employment prospects at the organization. At this stage, language should not be an issue, because English is the working language of most international organizations.

Have your questions prepared ahead of time. Ask what openings the organization can expect to have over the next six months. If the organization doesn’t have anything available, ask if your contact knows of other international organizations you might call. For example, in The Hague, where I work, there are quite a number of other international organizations, and we meet together regularly to discuss security issues. If I don’t have an opening, I might know of openings in sister organizations, or at least know the contacts in those organizations. Ask for suggestions, and follow up. You can use Skype or a similar VoIP service to save money on your phone bill.

Above all, be realistic and plan carefully. If you have good work experience in the States and really want to work here, you can make it happen.


Paul Raines is CISO of a nonprofit group in The Hague, Netherlands. Send feedback to Senior Editor Sarah D. Scalet at sscalet@cxo.com.
Spam, a Lot

Conversations with leading message filtering companies provide insight into the battle for e-mail security. By Simson Garfinkel
HERE ARE TWO stunning statistics from the war against spam. First, roughly 75 percent of Internet mail is now spam—that means for every legitimate e-mail message received, three pieces of spam are also received. There’s a lot of spam, and it’s more or less on the rise (although certain kinds of spam are becoming more or less popular).

The second statistic is about the effectiveness of businesses in handling spam. Apparently employees at businesses with 24 users or fewer see nearly 600 spam messages a month. What’s surprising here is that this is more than five times the spam that’s seen, on average, by employees at companies with 10,000 users or more.

Both of these statistics come from MessageLabs, one of the two dominant players in the world of spam filtering today. Spammers aren’t targeting small businesses, MessageLabs wrote in the March issue of its Internet Threat Watch. Instead, employees at small companies are less likely to have effective spam filtering measures.

This might seem like a self-serving finding from MessageLabs, which markets its service primarily to large corporations. But the conclusion is more or less in line with my own experience. Spam filtering is not something that you can set up and forget: An antispam system that works well today will slowly lose its potency as the spammers learn how to evade the filtering techniques that you’ve implemented. Large organizations can dedicate the time and money to staying current with their antispam technology, but small companies generally can’t. As a result, the level of spam seen by employees at small organizations slowly creeps up after each new system is deployed until the amount of spam becomes unbearable, then the next system is rolled out.

Recently I had the chance to speak with antispam specialists at MessageLabs and Postini (the other dominant player in the world of antispam). I asked both companies what they thought would be the greatest problems facing spam-fighters in the coming year. To understand the answers, it’s important to understand that spam has a lifecycle, and this lifecycle highlights many of the world’s persistent computer security problems.

Bot Economics

MOST OF the spam that reaches your mailbox was sent from a bot—an ordinary home or office PC that wouldn’t be notable other than the fact that it has a high-speed Internet connection and that it’s under the control of a malicious third party. I’ve seen estimates that there are between 1 million and 100 million infected computers in the world today. I have no idea how these estimates are made, whether they are reliable, and what they actually mean. But it’s clear that there are a lot of machines infected with bots, and that the existence of these machines represents a failure of today’s antivirus and antispyware approaches.

Because so much of today’s e-mail stream is spam, every message that’s received has to be filtered before it can reach your inbox. Today the best filtering systems perform a variety of tests, including content analysis and attribution—that is, they try to figure out who the real sender of the e-mail message is, as well as what product or website is being promoted, and then check the blacklists to see if the senders are known spammers. Attribution is also important in fighting other forms of Internet crime.

A significant amount of spam that reaches its intended destination contains phishing attacks. These attacks exploit a variety of security problems made possible by the Human/Computer Interface (HCI). As readers of this column know, HCI security is an important research area for both academia and industry.
Closing the cycle, those involved in this underground economy also need to recruit new computers to their botnets. Some spammers do this directly, while others rely on so-called bot-herder specialists. Typical herding techniques include sending out specially written infection programs by e-mail and spamming with the URLs of websites that are designed to exploit browser bugs. These techniques work because some people are still dumb enough to click on programs they receive, while other people are browsing the Internet with unpatched copies of Internet Explorer and Firefox.

Spammers have the upper hand in this cycle. Because herders have been so successful at recruiting bots, spammers have both more computational power and more Internet bandwidth available at their disposal than even the largest antispam providers. Spammers get instant feedback when their spam gets through because people click on the links. Because they are part of the underground economy, spammers generally don’t pay taxes on ill-gotten gains. Spammers can afford to experiment, because when their experiments fail, the worst that happens is that some of their spam doesn’t get sent. One result of this cycle is that spammers will continue to develop more effective spamming techniques as time passes because they are financially rewarded for doing so—there is positive market feedback.

As a result of this positive feedback, spammers are becoming increasingly sophisticated. “It’s become clear to anyone working in antispam that there have been a lot of developments,” says Matt Sergeant, MessageLabs’ senior antispam technologist. “Our speculation is that most of this is coming out of the ex-Soviet Russia and the Eastern Bloc. They really have teams of programmers on hand now. I am sure that somewhere there is a bunch of programmers, quality assurance teams [and other employees], all set up for creating this stuff. That presents a real challenge. They are thinking about this stuff on a technical level—exactly how they can get through our filters, what they can do to stay out of our blacklists.”

For example, one of the most difficult kinds of spam facing the filtering companies today is “stock spam”—spam that promotes a stock worth only a few pennies. Several studies have shown that stocks advertised in this manner generally jump for a few days and, as a result, the spammers can make thousands to tens of thousands of dollars for each batch of messages they send out. But stock spam is particularly difficult for spam filtering companies because there is no consistent brand name, phone number or website URL to be blacklisted. “All you have is a stock ticker symbol,” says Sergeant.

Dodging Blacklists

ONE WAY that spammers are avoiding the blacklists is by being much more selective in the way they send out spam. For example, says Sergeant, instead of sending a million messages from a single machine, spammers might instead send a thousand messages from a thousand machines. This is especially a problem when those machines are also sending legitimate e-mail, as might be the case when the infected machines are sending spam through the mail servers of their respective ISPs. Right now, says Sergeant, one of the biggest problems for his company is the large number of relatively small and poorly administered Internet service providers doing business in the developing world.

Another big problem facing antispam companies is that individual spam messages are undergoing more processing by spammers and, as a result, can be more different from each other. “The arms race is chasing how these guys are morphing the context” of the spam, says Scott Petry, Postini’s founder and CTO.

The arms race is also moving into new areas. For example, both MessageLabs and Postini have antispam systems available for instant messaging systems. Recently the folks at Postini got an e-mail about spam on a public-access Web calendar: Somebody had added a repeating event advertising a mortgage broker.

MessageLabs and Postini operate as service bureaus. Companies that subscribe to these firms set up their name servers so that incoming e-mail gets sent directly to one of the bureaus’ data centers, where the mail is received, filtered, optionally archived and eventually sent to the intended destination (or not). One of the big advantages of this model is that the spam that’s filtered out never reaches the customer, so the customer doesn’t need to invest in servers, hard drives and Internet capacity to handle the spam. But a real disadvantage with this approach is that the spam kept in quarantine, including false positives, is usually deleted—typically after 30 days.

False Positives

MY BIGGEST problem with today’s antispam systems is the amount of false positives that they generate—mail that is not spam but is nevertheless classified as such. Browsing through my spam folder, I recently found invitations to review a paper for a conference (followed by nasty e-mails asking why I had not sent in my review); a dozen messages from a website for which I had lost a password (I had repeatedly clicked on the “password reset” button); e-mail from Sprint that my phone bill is available to view.

I try to minimize the impact of misclassified e-mail by keeping my spam messages forever. Although I may need to reevaluate this policy if my personal spam levels rise to 90 percent, right now hard drive capacities are growing faster than spam levels. And I’ve had too many important e-mail messages misidentified as spam, only to discover them weeks or months later.


Simson Garfinkel, CISSP, is at Harvard University researching computer forensics and human thought. Send feedback to machineshop@cxo.com.


Forensic investigations start at the end. Think of it: You wouldn’t start using science and technology to establish facts (that’s the dictionary definition of forensics) unless you had some reason to establish facts in the first place. But by that time, the crime has already happened. So while requisite, forensics is ultimately unrewarding.

A clear illustration of this fact comes from the field investigations manager for a major credit services company. Sometime last year, he noticed a clutch of fraudulent purchases on cards that all traced back to the same aquarium. He learned quite a bit through forensics. He learned, for example, that an aquarium employee had downloaded an audio file while eating a sandwich on her lunch break. He learned that when she played the song, a rootkit hidden inside the song installed itself on her computer. That rootkit allowed the hacker who’d planted it to establish a secure tunnel so he could work undetected and “get root”—administrator’s access to the aquarium network.

Sounds like a successful investigation. But the investigator was underwhelmed by the results. Why? Because he hadn’t caught the perpetrator and he knew he never would. What’s worse, that lunch break with the sandwich and the song download had occurred some time before he got there. In fact, the hacker had captured every card transaction at the aquarium for two years.

The investigator (who could only speak anonymously) wonders aloud what other networks are right now being controlled by criminal enterprises whose presence is entirely concealed. Computer crime has shifted from a game of disruption to one of access. The hacker’s focus has shifted too, from developing destructive payloads to circumventing detection. Now, for every tool forensic investigators have come to rely on to discover and prosecute electronic crimes, criminals have a corresponding tool to baffle the investigation.

This is antiforensics. It is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you.

The concept is neither new nor foolproof, but in the past 12 months, forensic investigators have noticed a significant uptick in the use of antiforensics. This is not because hackers are making more sophisticated antiforensic tools, though some are. Rather, it’s because antiforensic tools have slid down the technical food chain, from Unix to Windows, from something only elite users could master to something nontechnical users can operate. What’s more, this transition is taking place right when (or perhaps because of) a growing number of criminals, technically unsophisticated, want in on all the cash moving around online and they need antiforensics to protect their illicit enterprises. “Five years ago, you could count on one hand the number of people who could do a lot of these things,” says the investigator. “Now it’s hobby level.”

Researcher Bryan Sartin of Cybertrust says antiforensic tools have gotten so easy to use that recently he’s noticed the hacks themselves are barely disguised. “I can pick up a network diagram and see where the breach occurred in a second,” says Sartin. “That’s the boring part of my job now. They’ll use FTP and they don’t care if it logs the transfer, because they know I have no idea who they are or how they got there.” Veteran forensic investigator Paul Henry, who works for a vendor called Secure Computing, says, “We’ve got ourselves in a bit of a fix. From a purely forensic standpoint, it’s real ugly out there.” Vincent Liu, partner at Stach & Liu, has developed antiforensic tools. But he stopped because “the evidence exists that we can’t rely on forensic tools anymore. It was no longer necessary to drive the point home. There was no point rubbing salt in the wound,” he says.

The investigator in the aquarium case says, “Antiforensics are part of my everyday life now.” As this article is being written, details of the TJX breach—called the biggest data heist in history, with more than 45 million credit card records compromised—strongly suggest that the criminals used antiforensics to maintain undetected access to the systems for months or years and capture data in real time. In fact, the TJX case, from the sparse details made public, sounds remarkably like the aquarium case on a massive scale. Several experts said it would be surprising if antiforensics weren’t used. “Who knows how many databases containing how many millions of identities are out there being compromised?” asks the investigator. “That is the unspoken nightmare.”

The Obfuscator’s Toolkit

IF YOU were making a movie about a computer crime, the bad guys would use antiforensics. And since it’s a movie, it should be exciting, so they’d use the clever and illicit antiforensic tools, the sexy ones with little or no legitimate business purpose. Liu has developed such tools under the Metasploit Framework, a collection of software designed for penetration testing and, in the case of the antiforensic tools, to expose the inherent weaknesses in forensics in hopes that the forensics industry would view it as a call to action to improve its toolset.

One of Liu’s tools is Timestomp. It targets the core of many forensic investigations—the metadata that logs file information including the times and dates of file creation, modification and access. Forensic investigators poring over compromised systems where Timestomp was used often find files that were created 10 years from now, accessed two years ago and never modified. Transmogrify is similarly wise to the standard procedures of forensic investigators. It allows the attacker to change information in the header of a file, a space normally invisible to the user. Typically, if you changed the extension of a file from, say, .jpg to .doc, the header would still call it a .jpg file and header analysis would raise a red flag that someone had messed with the file. Transmogrify alters the header along with the file extension so that the analysis raises no red flags. The forensic tools see something that always was and remains a .doc file.

Slacker would probably be in the movie too. It breaks up a file and stashes the pieces in the slack space left at the end of files. Imagine you stole the Dead Sea Scrolls, ripped them into thousands of small pieces, and then tucked those pieces, individually, into the backs of books. That’s Slacker, only Slacker is better because you can reassemble the data and, while hidden, the data is so diffuse that it looks like random noise to forensic tools, not the text file containing thousands of credit card numbers that it actually is.

Another tool, Sam Juicer, retrieves encrypted passwords but leaves behind no evidence it was ever run, allowing you to crack the passwords later offline. KY stuffs data into null directory entries, which will still look null to the outside world. Data Mule infiltrates hard disk drives’ normally off-limits reserved space. Randomizers auto-generate random file names to evade signature-based inspection. There are tools that replace Roman letters with identical-looking Cyrillic ones to avoid suspicion and inspection. In other words, you need explorer.exe to run your computer, but you don’t need explorer.exe, which looks the same but actually starts with a Cyrillic “e” and is a keylogger.

If you want to go full-out cloak-and-dagger in your movie, you’d show off antiforensic tools that have gone solid-state. Diskless A-F is the state of the art; it avoids logging of activity altogether. “There’s nothing on the disk that can’t be messed with,” says Liu. “So the arms race has left the disk and is moving into memory. Memory is volatile storage. It’s a lot more difficult to understand what’s going on in there. Disk layout is documented; you know where to look for stuff. In memory, stuff moves around; you can’t track it down.”

MosDef is one example of diskless antiforensics. It executes code in memory. Many rootkits now load into memory; some use the large stockpiles of memory found on graphics cards. Linux servers have become a favorite home for memory-resident rootkits because they’re so reliable. Rebooting a computer resets its memory. When you don’t have to reboot, you don’t clear the memory out, so whatever is there stays there, undetected. “You’ve got 128 megs of RAM in network printers that are never shut off!” exclaims Michael Davis, CEO of incident response company Savid Technologies and a veteran security researcher who worked on the Honeynet Project. “It’s an old technique, but a common one.”

[Figure: THE ANTIFORENSIC LANDSCAPE. Antiforensic tools are plotted on a spectrum of legitimacy as a software tool and on a spectrum of aggressiveness as a malicious technique. The size of the words reflects the prevalence of use of each technique, with larger words being more commonly used techniques. Words in RED represent tools and techniques rapidly gaining popularity. Words in [color] reflect tools and techniques where popularity could be waning.]

Perhaps less sexy—but just as problematic to the forensic investigator—are antiforensic tools that fall into a gray middle on the spectrum of legitimacy. These include tools like packers, which pack executable files into other files. In the aquarium case, the criminal most likely used a packer to attach his rootkit to the audio file. Binders bind two executables into one, an especially dangerous tool when one of the executables is legitimate. I might have no concern clicking on firefox.exe, for example, but it could very well be bound to keylogger.exe. Virtualization is an “in” trend in IT now, because it allows one machine to run many environments. Hackers simply apply the principle to their jobs; one of the virtual environments borrowing the hardware becomes theirs.

Steganography—hiding data in other data—has legitimate uses for the privacy conscious, but then criminals breaking into systems are privacy conscious too. A great way to transport data you’re not supposed to have is to hide it where it will generate no suspicion, like in photos of executives that the marketing department keeps on the network. (Disagreement reigns over the prevalence of steganography as an antiforensic technique in practice; no one disputes its capabilities or increasing ease of use, though.) Disk wiping systems are valuable for refreshing and decommissioning hard disks on machines, and boosting performance. But they also serve the criminal who needs to erase his digital tracks. Some data wiping programs have been tuned to thwart the specific programs that criminals know are popular with forensic investigators, like EnCase, and they are marketed that way.

The most prosaic antiforensic tools are also the most common. Security software like encryption and VPN tunneling serve as foundations of the criminal hacker’s work once he’s infiltrated a system. “In one case, we found a large retail database that was compromised,” says Sartin. “And the first thing the hackers did when they got there was install a client VPN,” and at that point, they became virtually invisible. Another classic antiforensic technique is to partition a hard drive and encrypt one section of it, then partition that partition and encrypt a subsection of that. “Any data in that second partition I can deny ever existed,” says Henry. “Then the bad guy who is caught gives up the password or key for the first partition, which typically contains only moderately bad stuff. The really bad stuff is in the second partition, but the investigators have no clue it’s there. Forensic tools wouldn’t see the second partition; it would look like random trash.”

These techniques are not sexy—they might not make it into the movie—but in some ways they’re actually the most problematic antiforensic tools, because there are excellent reasons to continually improve encryption, secure remote access, disk partitioning and virtual environments. Better encryption stands to protect data and privacy. Secure tunnels make remote business over the Internet feasible. Virtualization is an efficiency boon. And yet, improving these products also happens to improve the criminal’s antiforensic toolkit in lockstep.

This list is only a sample of the tools used for antiforensics. Many others do clever things, like block reverse engineering of code or purposefully leave behind misleading evidence to send forensic investigators down the wrong path, wasting their time and money. Taken at its most broad, antiforensics even extends to physical techniques, like degaussing hard drives or taking a sledgehammer to one. The portfolio of techniques available, for free or for a low cost, is overwhelming.

An antiforensic pioneer and hacker who calls himself the Grugq (sounds like “grug”) says he once presented this kind of primer on antiforensics to the police’s largest computer forensics unit in London. “It was packed with all these mean-looking coppers,” he recalls. “And here I am, this computer security guy saying, ‘You’re all [screwed] and there’s nothing you can do about it.’ When I finished, it was quiet. Only one person raised his hand. Scary geezer. Six-two, shaved head. Tattoos all over his arms. I thought he might thump me.

“But he stood up and looked like he was about to cry. All he said was, ‘Why are you doing this?’”


Why Is He Doing This?

AS LONG as five years ago, Grugq was creating antiforensic tools. Data Mule is one in his package that he calls the Defiler’s Toolkit. Likewise, Liu developed Timestomp, Slacker and other tools for the Metasploit Framework. In fact, a good portion of the antiforensic tools in circulation come from noncriminal sources, like Grugq and Liu and plain old commercial product vendors. It’s fair to ask them, as the overwhelmed cop in London did, why develop and distribute software that’s so effective for criminals?

Grugq’s answer: “If I didn’t, someone else would. I am at least pretty clean in that I don’t work for criminals, and I don’t break into computers. So when I create something, it only benefits me to get publicity. I release it, and that should encourage the forensics community to get better. I am thinking, Let’s fix it, because I know that other people will work this out who aren’t as nice as me. Only, it doesn’t work that way. The forensics community is unresponsive for whatever reason. As far as that forensic officer [in London] was concerned, my talk began and ended with the problem.”

Liu agrees but takes it further. He believes developing antiforensics is nothing less than whistle-blowing. “Is it responsible to make these tools available? That’s a valid question,” he says. “But forensic people don’t know how good or bad their tools are, and they’re going to court based on evidence gathered with those tools. You should test the validity of the tools you’re using before you go to court. That’s what we’ve done, and guess what? These tools can be fooled. We’ve proven that.”

For any case that relies on digital forensic evidence, Liu says, “It would be a cakewalk to come in and blow the case up. I can take any machine and make it look guilty, or not guilty. Whatever I want.”

Liu’s goal is no less than to upend a legal precedent called the presumption of reliability. In a paper that appeared in the Journal of Digital Forensic Practice, Liu and coauthor Eric Van Buskirk flout the U.S. courts’ faith in digital forensic evidence. Liu and Van Buskirk cite a litany of cases that established, as one judge put it, computer records’ “prima facie aura of reliability.” One decision even said computer records were “uniquely reliable in that they were computer-generated rather than the result of human entries.” Liu and Van Buskirk take exception. The “unfortunate truth,” they conclude, is that the presumption of reliability is “unjustified” and the justice system is “not sufficiently skeptical of that which is offered up as proof.”

It’s nearly a declaration that, when it comes to digital information, there’s no such thing as truth. Legally anyway. As Henry likes to put it, “Antiforensic tools have rendered file systems as no longer being an accurate log of malicious system activity.”

Computer forensics in some ways is storytelling. After cordoning off the crime scene by imaging the hard drive, the investigator strings together circumstantial evidence left at the scene, and shapes it into a convincing story about who likely accessed and modified files and where and when they probably did it. Antiforensics, Liu argues, unravels that narrative. Evidence becomes so circumstantial, so difficult to have confidence in, that it’s useless. “The classic problem already with electronic crimes has been, How do you put the person you think committed a crime behind the guilty machine they used to commit the crime?” says Brian Carrier, another forensic researcher, who has worked for the Cerias infosecurity research program at Purdue University. Upending the presumption of reliability, he says, presents a more basic problem: How do you prove that machine is really guilty in the first place? “I’m surprised it hasn’t happened yet,” says Liu. “But it will.”

Under the current computing infrastructure, data is untrustworthy, then. The implications of this, of courts limiting or flat-out denying digital forensics as reliable evidence, can’t be overstated. Without the presumption of reliability, prosecution becomes a more severe challenge and thus, a less appealing option. Criminals reasonably skilled with antiforensics would operate with a kind of de facto legal immunity.

Making It Not Worth It

DESPITE ALL that, casting doubt over evidence is just a secondary benefit of antiforensics for criminals. Usually cases will never get to the legal phase because antiforensics makes investigations a bad business decision. This is the primary function of antiforensics: Make investigations an exercise in throwing good money after bad. It becomes so costly and time-consuming to figure out what happened, with an increasingly limited chance that figuring it out will be legally useful, that companies abandon investigations and write off their losses.

“Business leaders start to say, ‘I can’t be paying $400 an hour for forensics that aren’t going to get me anything in return,’” says Liu. “The attackers know this. They contaminate the scene so badly you’d have to spend unbelievable money to unravel it. They make giving up the smartest business decision.”

“You get to a point of diminishing returns,” says Sartin. “It takes time to figure it out and apply countermeasures. And time is money. At this point, it’s not worth spending more money to understand these attacks conclusively.”

One rule hackers used to go by, says Grugq, was the 17-hour rule. “Police officers [in London’s forensics unit] had two days to examine a computer. So your attack didn’t have to be perfect. It just had to take more than two eight-hour working days for someone to figure out. That was like an unwritten rule. They only had those 16 hours to work on it. So if you made it take 17 hours to figure out, you win.” Since then, Grugq says, law enforcement has built up 18-month backlogs on systems to investigate, giving them even less time per machine.

“Time and again I’ve seen it,” says Liu. “They start down a rat hole with an investigation and find themselves saying, ‘This makes no sense. We’re not running a business to do an investigation.’ I’ve seen it at Fortune 100s. The company says, ‘We think we know what they got and where. Let’s close it up.’ Because they know that for every forensic technique they have, there’s an antiforensic answer. Unfortunately, the converse isn’t true.”

-VINCENT LIU, PARTNER AT STACH & LIU

Endgame


BY NOW, it should be clear why Henry of Secure Computing has been giving a presentation called “Anti-Forensics: Considering a Career in Computer Forensics? Don’t Quit Your Day Job.” The state of forensics certainly sounds hopeless, and Henry himself says, “The forensics community, there’s not a hell of a lot they can do.”

But in fact there’s some hope. Carrier says, “Yes, it makes things a lot harder, but I don’t think it’s the end of the world by any means.” What can start to turn the tables on the bad guys, say these experts and others, is if investigators embrace a necessary shift in thinking. They must end the cat-and-mouse game of hack-defend-hack-defend. Defeating antiforensics with forensics is impossible. Investigations, instead, must downplay the role of technology and broaden their focus on physical investigation processes and techniques: intelligence, human interviews and interrogations, physical investigations of suspects’ premises, tapping phones, getting friends of suspects to roll over on them, planting keyloggers on suspects’ computers. There are any number of ways to infiltrate the criminal world and gather evidence. In fact, one of the reasons for the success of antiforensics has been the limited and unimaginative approach computer forensic professionals take to gathering evidence. They rely on the technology, on the hard disk image and the data dump. But when evidence is gathered in such predictable, automated ways, it’s easy for a criminal to defeat that.

“I go back to my background as a homicide detective,” says the investigator in the aquarium case. “In a murder investigation, there is no second place. You have to win. So you come at it from every angle possible. You think of every way to get to where you want to go. Maybe we can’t find the source on the network with a scanning tool. So you hit the street. Find a boss. His boss. His boss. You find the guy selling data on the black market. The guy marketing it on [Internet Relay Chat]. You talk to them. They’re using stego? Maybe we drop some stego on them. The techniques used in physical investigations are becoming increasingly important.”

Indeed, if one looks back on some of the major computer crimes in which suspects were caught, one will notice that rarely was it the digital evidence that led to their capture. In the case of Jeffrey Goodin of California, the first ever under the Can-Spam Act, it was a recorded phone call with a friend who had flipped on the suspect that led to the conviction. In the case of the Russian botnet operators who had extorted millions from gaming sites, it was an undercover operation in which a “white hat” hacker befriended the criminals. In the United Kingdom, says Grugq, the police are using social modeling to try to penetrate antiforensics used on mobile phones for drug dealing. “The police’s goal is to get a confession,” he says. “They don’t care if they have compelling evidence off the disk.” In the TJX case, the only arrests made to date are based on purchases of exorbitant gift cards at the company’s retail stores, caught on tape. It will be the interviews with those people, and not system analysis, that will lead to more information and, potentially, more arrests in the case.

“Every successful forensics case I’ve worked on turned into a physical security investigation,” says Bill Pennington, a researcher at White Hat Security and veteran technical forensics investigator. “In one case, it was an interview with someone who turned on someone else. You layer the evidence. Build it up. He sees the writing on the wall, and he cracks. But if we had to rely on what the computer evidence told us, we would have been stuck.”

Moving Targets

BEHIND THE portfolio of easy-to-use Windows-based antiforensic tools, criminal hackers are building up a next-generation arsenal of sophisticated technical tools that impress even veterans like Grugq. “There are now direct attacks against forensic tools,” he says. “You can rootkit the analysis tool and tell it what not to see, and then store all your evil stuff in that area you told the analysis tool to ignore. It is not trivial to do, but finding the flaw in the analysis tool to exploit is trivial.”

Another new technique involves scrambling packets to avoid finding data’s point of origin. The old-school way of avoiding detection was to build up a dozen or so “hop points” around the world—servers you bounced your traffic off of that confounded investigations because of the international nature of the traffic and because it was just difficult to determine where the traffic came from, really. The state-of-the-art antiforensic technique is to scramble the packets of data themselves instead of the path. If you have a database of credit card information, you can divvy it up and send each set of packets along a different route and then reassemble the scatterlings at the destination point—sort of like a stage direction in a play for all the actors to go wherever as long as they end up on their mark.

The aquarium attack, two years later, already bears tinges of computer crime antiquity. It was clever but today is hardly state of the art. Someday, the TJX case will be considered ordinary, a quaint precursor to an age of rampant electronic crime, run by well-organized syndicates and driven by easy-to-use, widely available antiforensic tools. Grugq’s hacking mentor once said it’s how you behave once you have root access that’s interesting. In a sense, that goes for the good guys too. They’ve got root now. How are they going to behave? What are they going to do with it? “We’ve got smarter good guys than bad guys right now,” says Savid Technologies’ Davis. “But I’m not sure how long that will be the case. If we don’t start dealing with this, we’re not even going to realize when we get hit. If we’re this quiet community, not wanting to talk about it, we’re going to get slammed.” ■


Send feedback to Senior Editor Scott Berinato at sberinato@cxo.com.


30  www.csoonline.com  June  2007 


ADVERTISEMENT

BALANCING SECURITY AGAINST PRODUCTIVITY

HOW TO DELIVER EFFECTIVE ENTERPRISE SECURITY MANAGEMENT WITH THE RIGHT MIX OF TECHNOLOGY AND AUTOMATION

Striking a balance between security and productivity weighs heavily on every CSO’s mind.

“Security strategies must do it all: understand user privileges, initiate change management processes and even track issues or problems,” says Richard Whitehead, director of product marketing for Identity and Security and Systems and Resource Management at Novell. “This requires just the right mix of technology, interacting automatically and seamlessly for the good of the business.”

A recent IDG Research Services survey of information security professionals supports this, with nearly one-half of respondents rating security/events management and identity/access management as “extremely” or “very” effective in protecting enterprise networks.

The survey offers more illuminating insight into the effectiveness of enterprise security management:

KEY FINDING:

Uptime is the most popular metric.

When it comes to metrics, information professionals most often point to quantifiable statistics. This is evidenced by respondents citing uptime/reliability (83 percent), passing audits (69 percent) and helpdesk incidents (58 percent) as their top metrics. Respondents mention intangible metrics—like compliance and ROI—less frequently, even though business leaders consider such measurement more telling.

“The trick is to track that which helps your business move forward,” says Whitehead. “When you map metrics to business processes, security implementations more directly support your strategic goals and provide justification for funding.”

KEY FINDING:

Automated tools aid in measuring and monitoring.

Respondents are using a combination of methods for monitoring and measuring IT effectiveness: internal audit teams (69 percent), manual processes (65 percent) and automated tools (60 percent). This finding suggests that such methods bring something different to the table—internal audit teams execute commonsense tactics against unique IT environments, while manual processes are instrumental in discovery and documentation.

“However, automation is proving most useful, with forward-thinking CIOs turning to ITIL [IT Infrastructure Library],” says Whitehead. ITIL establishes a framework for IT plans, models and processes and dictates the roles and relationships required to automate processes.

KEY FINDING:

Confidence is lacking around IT controls.

Despite their unwavering focus on effectiveness, respondents say they are not overly confident in their security controls. Only 5 percent are “extremely” confident.

“Some risk is a given,” says Whitehead. “The bigger issue is that most organizations work in silos, so no one has complete control over every discipline.” A “very” confident CSO has likely taken an integrated approach to security, automating technologies and processes in a way that eliminates silos, thus building confidence in controls.

KEY FINDING:

Protecting information is top of mind.

Immediate issues are keeping CSOs up at night; protecting information (53 percent), ensuring compliance (52 percent) and ensuring privacy (HI percent) are deemed “extremely” important. Fewer respondents rank strategic imperatives—such as improved security posture, lower costs, and reduced complexity—as equally important.

Only 13 percent of respondents say automated processes are “extremely” important. “Automation garners the most visible value when coupled with urgent issues like protecting information and ensuring compliance,” says Whitehead. Automation also contributes to solving the bigger issues of lowering costs and reducing complexity.

“So a higher prioritization of automation can significantly impact security effectiveness,” concludes Whitehead.

“CIOs need to embrace BPM to drive as much efficiency internally as possible,” says Morrissey. “Only then is it time to turn a process over to an outsourcing partner.”

Want to sleep with more confidence than some of our survey respondents?

Go to www.novell.com/itsecurity now to obtain a free download of the full survey results with commentary from industry luminaries. You’ll find the insight you need to master the balancing act that is security.

Novell
Custom Solutions Group


Roger Johnston knows about security vulnerabilities, and not only because he works for the Los Alamos National Laboratory, which has experienced more than its share of security problems of late (including the loss of classified materials last autumn). As leader of the laboratory’s Vulnerability Assessment Team, a research group devoted to improving physical security, Johnston is the guy who gets brought in to find security problems, not only at his own agency but also at other agencies and at private companies. His team has been hired to conduct vulnerability assessments at government agencies with such high security stakes as the International Atomic Energy Agency, the Department of State and the Department of Defense, as well as at private companies that are developing or considering the use of high-tech security devices.

Senior Editor Sarah D. Scalet recently spoke with Johnston about strategies for running an effective vulnerability assessment and then communicating the results without also putting your job on the line. (Note: Johnston emphasized that his statements here are his own opinions and do not necessarily reflect the official position of the Los Alamos National Laboratory or the U.S. Department of Energy, its parent organization.)

CSO: You basically spend your days finding problems with things. Are people afraid to cook for you?

Roger Johnston: Yeah, well, we always try to have an upbeat message. There are often very simple fixes to problems. Say you’re using a tamper-indicating seal for cargo security. When you inspect the seal, maybe you simply spend an extra second or two looking for a little scratch in the upper right-hand corner to discover an attack.

So training is a key to that upbeat message?

Right. We’re very strong believers in showing security personnel a lot of vulnerability information. Often, low-level security people aren’t given the information they need to do a good job. If they know what they’re supposed to be looking for, instead of just turned loose and told to report “anomalous incidents,” they generally will do a lot better. You really haven’t spent a lot of extra money, and it doesn’t necessarily take a great deal of time.
Los Alamos National Laboratory’s Roger Johnston talks about how aliens, Elvis impersonators and obstinate employees can help you find and fix security problems

By Sarah D. Scalet


When you’re doing a vulnerability assessment, what’s the best way to get into the mind-set of the adversary?

That’s the real trick. The problem with a lot of vulnerability assessments is that they’re done by very sincere security people who have devoted their lives and careers to being good guys. They really don’t want security to have any problems. It’s not a matter of dishonesty; it’s just human nature. Also, in many cases security personnel come from military or police backgrounds. That kind of training and discipline can be very useful, but those backgrounds don’t typically tend to attract people who are wildly creative.

You want to look around your organization and find people who are outside-the-box thinkers. They don’t have to be in the field of security. You’re looking for people who would normally be your worst security nightmare—people who are loophole finders, smart alecks, kind of skeptical. They’re people who have to prove things for themselves and aren’t sure they buy everything they hear from authority.

So you’re looking for people who’ve been in trouble for violating some security policy?

I don’t want to push it too far. If they’re wanted in 35 states for felonies, maybe that’s not exactly who you want looking at your critical security vulnerabilities. It’s more about finding the people who won’t automatically toe the party line. These are people in your organization who are already thinking about how they could beat your security. They’re probably not going to do it, but that’s just the way they think. They may be graphic artist types; they may be the smart aleck on the loading dock who’s always questioning the boss.

There’s more of that ethos in the information security culture than in the physical security culture.

Absolutely. There’s a huge cultural gap, of course, between IT security and physical security, and that’s much of the problem of convergence, trying to bring the two together. I think IT is better off in this regard. A lot of the people who work on computers automatically think that way.

Vulnerability Assessment

What’s the risk of thinking like a good guy?

When vulnerability assessments are done by good guys thinking like good guys, number one, they let the existing security infrastructure and hardware and strategies define the vulnerability issues. For example, if there’s a fence, they’ll think about ways the bad guys might get over the fence. But of course that’s all backward. We need to think about what the bad guys want to accomplish and then decide if we even need a fence. Number two, there’s that tendency not to want to try to find problems.

Not  only  are  they  possibly  making 
themselves  look  bad  if  they  find  a 
problem,  they’re  also  creating  more 
work  for  themselves,  right? 

Absolutely.  In  many  cases  when  the  fix 
is  very  simple,  organizations  are  very 
reluctant  to  do  it,  because  that  is  some¬ 
times  thought  of  as  saying,  “We’ve  been 
screwing  up  all  these  years.”  So  you  don’t 
want  to  go  with  people  who  have  a  history 
of  doing  a  vulnerability  assessment  and 
then  telling  you  everything  is  swell.  There 
are  always  vulnerabilities,  and  they  are 
always  present  in  very  large  numbers.  Any 
vulnerability  assessment  that  finds  zero 
vulnerabilities  is  completely  useless. 

When  you  actually  do  the  assessment, 
are  there  warm-ups  you  can  do  to  get 
yourself  in  the  mind-set  of  a  bad  guy? 

A  lot  of  vulnerability  assessment  needs  to 
be  very  similar  to  classic  brainstorming.  A 
lot  of  the  tools  that  are  applied  to  creative 
thinking  in  other  fields  can  be  applied 
directly  to  vulnerability  assessments. 

This  is  kind  of  a  radical  position.  A  lot  of 
people  in  the  security  business  are  not 
comfortable  with  this  1960s  hippy,  touchy- 
feely,  “let’s  all  get  together”  approach. 

I’m  imagining  a  bunch  of  beanbag 
chairs. 

Yeah.  A  lot  of  people  would  much  rather 
have  a  rigorous,  quantitative  approach, 
and  I  would  claim  that’s  largely  a  sham.  I 
don’t  think  it’s  a  mistake  to  use  analytical 
tools  like  a  security  survey,  but  we  would 
like  to  combine  those  more  closed-ended, 


straightforward  tools  with  creative  think¬ 
ing.  The  fact  is  that  creativity  has  been 
studied  extensively  over  the  last  50  years, 
and  there’s  a  lot  of  understanding  of  how 
you  create  an  environment  where  people 
come  up  with  good  ideas.  It’s  not  quite 
the  seat-of-the-pants,  wacky  kind  of  thing 
that  it  might  look  like  from  the  outside. 

Should  the  CSO  even  be  there? 

You  don’t  want  the  boss  in  the  room, 
because  it  constrains  people.  What  you 
need  are  really  nutty  ideas,  so  we  strongly 
encourage  thinking  about  attacks  that 
involve  Elvis  impersonators  and  flying 
monkeys  and  the  use  of  space  aliens.  Early 
on,  it’s  very  important  not  to  editorialize. 
Later  on,  we’re  going  to  prioritize  them 
and  think  about  the  practicality  of  them. 

In  many  cases,  we  have  people  say,  “Well, 
if  I  had  the  space  aliens  come  down  with 
a  ray  beam,  they  could  do  the  following.” 
Later  on,  it  turns  into  a  very  viable  attack, 
once  we  get  rid  of  the  space  aliens  and  the 
laser  beams. 

Does  this  take  hours?  Days?  Weeks? 

It  depends.  If  you’re  looking  at  a  very 
complex  security  program,  you  may  want 
to  spend  two  or  three  weeks  just  kind  of 
freewheeling.  But  you  don’t  just  sit  around 
and  do  ideas.  You  generate  nutty  ideas, 
and  then  you  go  back  to  the  program  or 
the  hardware  and  play  around  a  little  bit 
to  see  if  those  nutty  ideas  might  have  some 
merit.  Then  you  get  back  together  again, 
and  you  think  of  more  nutty  ideas  based 
on  what  you  learned.  We’re  very  much 
in  favor  of  hands-on  work,  and  not  just 
thinking  in  abstractions.  Toss  the  device 
around.  Chat  up  the  security  guards.  Kick 
the  fence.  Play  with  the  system  and  try  to 
understand  how  it  behaves. 

When  the  CSO  tells  his  or  her  company 
about  a  vulnerability,  we’ve  seen  that 
there  can  be  a  kind  of  “shoot  the  mes¬ 
senger”  effect.  [See  “Don’t  Shoot  the 
Messenger”  at  www.csoonline.com/ 
read/ 0801 06/col_  undercover.html.  ] 
What  are  ways  they  can  avoid  that  or  at 
least  mitigate  the  effect? 


We  try  to  encourage  people  to 
think  about  a  vulnerability  not 
as  bad  news.  It’s  great  news. 
When  you  find  a  vulnerability, 
you  can  do  something  about  it. 


But  you  still  have  to  take 
people  down  the  path  of, 
something  terrible  could 
happen. 

All  our  vulnerability  assess¬ 
ment  reports  start  out  by 
pointing  to  the  good  things. 

There  are  always  good  things. 

Sometimes  they’re  an  accident, 
but  by  pointing  them  out,  you 
get  them  recognized.  Also,  at 
the  very  beginning  we  always 
point  out  that  we’re  going  to 
find  more  vulnerabilities  than 
they  can  possibly  mitigate. 

We’re  going  to  make  more  sug¬ 
gestions  for  changes  than  you 
can  possibly  implement.  That’s 
OK.  The  bottom  line  is,  vulner¬ 
ability  assessors  are  not  here  to 
tell  you  what  changes  to  make. 

We’re  here  to  point  out  what 
we  think  are  problems  and 
what  we  think  may  be  solu¬ 
tions.  It’s  up  to  you  to  decide 
what  you  do  with  the  findings. 

This  binary  thinking  about  secu¬ 
rity— that  something  is  either  secure  or 
not  secure,  or  that  we  have  to  have  all  the 
vulnerabilities  covered  or  we’re  not  doing 
our  job— is  really  nonsense.  Security  is  a 
continuum,  and  there  are  always  going  to 
be  vulnerabilities  you  can’t  do  anything 
about.  That  doesn’t  mean  anybody  is 
screwing  up.  That’s  just  the  way  security 
works. 


In coming up with this laundry list of problems and possible solutions, is there an 80/20 thing at play, where you can solve 80 percent of the problems with 20 percent of the solutions?

It does work that way. People say, “Gee, you’re telling me I need to make this one little change, and this attack and this attack and this attack and this other attack basically go away?” It’s really quite surprising. Sometimes the vulnerabilities are extraordinarily complex, and the solutions, while they may not be 100 percent perfect, are often really painless. We don’t always have the most realistic view—we work for the government—about what’s economically viable to implement. Sometimes what we think is simple isn’t really simple in the real world. But that’s OK too. Sometimes our suggestions get the end users thinking, and then maybe they come up with their own solution.

You’ve brought a couple of industrial-organizational (IO) psychologists onto your team. Why?

Industrial-organizational psychology has been applied across a wide range of fields, but for some weird reason, not security. When we first got these psychologists to work with us, they just couldn’t believe that no one had applied all these powerful tools in industrial psychology toward security problems. Increasingly, we’re using them to understand the human factors associated with security. In the end, security is really about how people interact with technology, how people use and think about technology, and how the technology was designed to enhance what people are already doing.

What kinds of things have the industrial-organizational psychologists found?

The main one early on was the recognition that the security guard turnover problem is a huge problem. The numbers typically run between 40 percent and 400 percent per year. McDonald’s has a turnover rate of about 35 to 40 percent, so McDonald’s does a better job than security of finding the right people and hanging on to them. There are plenty of organizations that do very fine with turnover rates that don’t pay people very well and don’t necessarily represent fabulous careers. There are ways that IO psychologists have developed over the last couple decades that help these companies, but the tools never have been applied to security. The first thing that our guys did was publish some papers basically saying, “Hey, wake up, we don’t need to do any new R&D; there are all these tools already proven out there.” They involve things like understanding who you hire and creating a realistic picture in their mind of what the job is like. If you simply do that, turnover rate plummets.

We’re just beginning to look more specifically at how IO psychology applies to vulnerability assessments. It’s a totally open field. One problem we want to look at is the tamper-indicating seals that are used for cargo security. We know from experience that some people are really good at finding seals that have been tampered with, and some people aren’t. But we don’t know why. One of the things we want to do is study the people who are good at it and try to understand what it is that they’re doing or what characteristics they have that make them good. One of the studies we want to do, and we haven’t found anybody to fund it, is an eye-tracking study. We want to look at what seal inspectors are looking at. You give them this little eyeglass thing, and it tells what their eyes are looking at. It’s used all the time to judge advertisements for TV; advertisers stick audiences in front of the proposed commercial to see if they’re really looking at the product or they’re looking at the pretty girl in the background. We want to apply this technology to understanding what the people who are effective at finding seals that have been tampered with are looking at. Maybe we can train people better, or maybe we can do a screening exercise to find the people who are really good at it, for whatever reason.


You and your group have created a Vulnerability Disclosure Index that addresses what to do once you actually find a vulnerability.

One of the problems with finding a vulnerability is, exactly who do you tell? We have found vulnerabilities that were specific to the sponsor of the vulnerability assessment, and of course if they pay for the work, they get the findings. No issue there. But we’ll find things that have more general applicability. Now the question is, what do you do? A classic example is spoofing a global positioning system. Everyone’s focused on jamming GPS devices, but that’s not an interesting attack, because the GPS receiver knows it’s not getting satellite signals from space. Spoofing, however, turns out to be surprisingly easy. You can feed fake coordinate information to a GPS receiver.

How could the bad guys use that to their advantage?

A lot of national networks, like for financial transactions, get their critical time synchronization from the GPS satellite signals. If someone fed the GPS fake information, the networks could crash within milliseconds.

It could potentially be very serious. There’s some recognition that jamming might be an issue, but in our view spoofing is the far more serious issue and is not widely recognized. Now, do we discuss this? Do we write papers about this problem? Or do we just keep our mouths shut?

This kind of problem crops up all the time, but there are some fairly straightforward, simple signs you’re looking for.

If there are a whole lot of good guys who don’t seem to be very sophisticated in understanding the vulnerabilities, and there are only a small number of bad guys, you probably ought to just publicize it to the world. If the attack is pretty obvious—and I think GPS spoofing is—the bad guys are going to figure it out anyway. So again, you probably ought to just tell the whole world. On the other hand, if it’s kind of a specialized security device not being used by very many people, but a whole bunch of potential bad guys might want to exploit it, then maybe you don’t need to be publicizing that vulnerability. Instead, you want to seek out the specific end user and point out the potential problem. The Vulnerability Disclosure Index is a sort of semi-quantitative attempt to try to provide some guidance as to whether you should disclose this vulnerability, how publicly, and in how much detail you should go.

Vulnerability disclosure has been especially contentious in the field of IT security. [See “The Chilling Effect” at www.csoonline.com/read/010107/fea_vidn.html.] Does your index apply to IT vulnerabilities?

It’s really meant for physical security. IT lives in a very different world. Let’s say you’re playing around on your home computer, and you find a very serious software vulnerability. There’s some controversy, but most people agree you should do the following: You should contact the software company and say, “I think there’s a problem here.” You give them a chance to fix that. If after a while they’re just stonewalling and not doing anything, then maybe you go public. Once they fix the problem, it’s no big deal. Everybody who bought the product typically does checks on whether there are upgrades.

Physical security is not like that. In many cases the physical security systems are from a bunch of different vendors and may be put together by a third-party vendor. Often there’s no one company to go to to complain about a potential vulnerability. Moreover, the fix isn’t just some software download. The fix may require service people going out and changing parts, and it could be very expensive, very disruptive. Before you get everybody all wound up about a physical security vulnerability, you may want to think about, is it even going to be practical to fix it?

You’ve written that when the vulnerability assessment is chartered, the sponsor owns the findings, but that doesn’t necessarily “relieve the vulnerability assessors of their responsibility to warn others of a clear and present danger.” This might strike fear into the hearts of CSOs who think they’re going to hire someone to do a vulnerability assessment and the contract will ensure that the findings remain private.

A typical example would be if a company is considering a commercial security device. Let’s say we do a vulnerability assessment on that device and oh my gosh, if you poke it with a paperclip it will quit working. And we know that commercial device is being used for a wide variety of applications, including corporate security, U.S. national security and nuclear safeguards. We believe we have some moral responsibility to tell people there might be a problem. Most companies we’ve done that for have had no problems, and in some cases encourage us to do exactly that. ■

Senior Editor Sarah D. Scalet can be reached at sscalet@cxo.com. If you would like to see a copy of a paper Roger Johnston wrote about vulnerability disclosure, contact him at rogerj@lanl.gov.
At many companies, small security staffs mean other departments—commonly human resources or legal—necessarily help conduct investigations. John Thompson’s Corporate Investigations for Nonsecurity Professionals, published by the CSO Executive Council (which is affiliated with CSO), aims to ensure that information is collected in a reliable and legally responsible manner. The following is an abridged excerpt on the planning phase of an investigation.

A primer to help nonsecurity personnel conduct effective investigations

By John Thompson

The objective of an investigation is to get the facts so that a resolution of the complaint and situation can be achieved. At the same time, it is possible that some day a jury or attorneys outside the organization might scrutinize every aspect of any investigation conducted. For example, the organization might have to turn over to outside attorneys every note the investigator has written about the investigation, and the investigator might have to recount every conversation he or she had involving the investigation. Moreover, someone’s job or well-being might depend upon the quality of the investigation. Thus, an investigation is not something that should be done haphazardly or without a clear plan in mind. Many investigators have declared their embarrassment to me when I have reviewed their investigation file two years after the investigation in preparation for a deposition or trial testimony. The investigator’s memory naturally is poor about the investigation because it is years later and numerous investigations have come and gone in the interim.

Worse, the investigator’s notes often are cryptic, undated and virtually useless. What seemed like a perfectly reasonable investigation plan at the time is impossible to decipher later. Because every part of an investigation might later be subject to scrutiny, every part of the investigation should be documented, including the up-front planning process. The following considerations should help the investigator plan an investigation. This, in turn, should lead to more accurate and complete information obtained and greater legal protection for the organization.

Minimize  witness  intimidation.  As 

the  investigator  begins  thinking  about 
how  to  conduct  the  investigation,  he  or  she 
must  confront  the  possibility  that  certain 
witnesses  to  the  investigation  might  feel 
intimidated  by  the  alleged  wrongdoer,  even 
by  the  simple  fact  that  the  alleged  wrong¬ 
doer  is  in  the  workplace.  Even  worse,  the 
alleged  wrongdoer  (and  even  the  complain¬ 
ant)  might  intimidate,  harass,  or  retaliate 
against  witnesses  in  an  attempt  to  influ¬ 
ence  the  outcome  of  the  investigation.  It 
might  be  necessary  to  remove  the  alleged 
wrongdoer,  the  complainant  or  both  indi¬ 
viduals  in  order  to  maximize  the  informa¬ 
tion  obtainable  from  other  witnesses.  On 
the  other  hand,  removing  an  employee 
from  the  workplace  during  an  investiga¬ 
tion  is  a  serious  human  resources  matter.  If 
the  investigator  believes  that  removing  an 
employee  from  the  workplace  is  necessary 
to  remove  possible  intimidation,  he  or  she 
should  consider  consulting  with  the  need- 
to-know  group  to  obtain  a  consensus  on 
such  an  action. 

Form  investigative  team  and  divide 
duties.  Interviews  often  will  constitute  a 
major  part  of  the  investigation,  and  it  could 
be  a  serious  mistake  to  conduct  significant 
interviews  one-on-one.  If  the  investigation 
is  legally  challenged,  the  plaintiff  inevitably 
will  contest  the  accuracy  of  the  interviewer’s 


recollection  of  the  interview.  If  the  organi¬ 
zation  has  two  witnesses  to  interview  who 
have  similar  recollections,  it  will  be  more 
difficult  for  the  plaintiff  to  attack  the  cred¬ 
ibility  of  the  investigation.  Moreover,  it  is 
extremely  difficult  to  ask  intelligent  ques¬ 
tions,  listen  closely  to  the  answers,  formu¬ 
late  follow-up  questions  and  take  accurate 
notes  all  at  the  same  time.  A  solution  would 
be  to  have  two  interviewers,  where  one 
interviewer  is  responsible  for  the  question¬ 
ing  and  the  other  interviewer  is  responsible 
for  note-taking.  The  note-taker  also  can  ask 
follow-up  questions  that  the  primary  ques¬ 
tioner  might  miss.  This  division  of  responsi¬ 
bility  should  remain  consistent  throughout 
the  interview  process.  Two  interviewers 
will  give  you  two  different  perspectives  on 
the  situation.  Many  difficult  investigations 
require  tough  credibility  judgments  and  it 
would  be  valuable  to  know,  for  example,  that 
two  interviewers  have  different  perspectives 
on  the  credibility  of  a  key  witness. 

Establish  the  time  frame  for  the 
investigation.  Many  times,  the  organi¬ 
zation  can  avoid  liability  for  wrongs  com¬ 
mitted  by  its  employees,  even  supervisory 
employees,  if  management  takes  quick  and 
appropriate  action  to  remedy  the  situa¬ 
tion.  Thus,  it  is  always  desirable  to  conduct 
the  investigation  promptly  after  becoming 
aware  of  the  issue.  Impress  upon  others  the 
need  to  investigate  and  resolve  the  issue 
quickly  and  obtain  the  cooperation  nec¬ 
essary  to  have  interviewees  available.  Of 
course,  if  the  investigation  becomes  more 
complicated  than  anticipated  or  unantici¬ 
pated  delays  occur,  extend  the  deadline  if 
necessary  to  do  a  complete  investigation. 

Confirmatory  memorandum.  The 

investigator  must  determine  whether  to  pro¬ 
vide  the  complainant  with  a  confirmatory 
memorandum.  This  frequently  is  desirable 
when  the  complainant  raises  a  verbal  com¬ 
plaint.  The  memorandum  serves  a  variety  of 
purposes.  Most  importantly,  it  provides  the 
complainant  with  a  clear  understanding  of 
the  expectations  that  the  organization  has 
for  him  or  her  during  the  investigation.  A 
letter  to  the  complainant  should  include  the 


following  items:  1.  A  statement  confirming 
the  issues  that  the  complainant  has  raised. 
2.  A  list  of  all  facts  provided  by  the  com¬ 
plainant.  3.  A  request  that  the  complainant 
add,  delete  or  correct  the  facts  summarized 
and  a  confidential  means  to  provide  this 
information.  4.  A  statement  identifying  the 
investigate r(s)  and  confirming  that  the  com¬ 
plainant  has  agreed  the  investigator(s)  will 
be  fair  and  objective.  If  the  identity  of  the 
investigator(s)  was  not  previously  known  to 
the  complainant,  the  letter  should  include 
a  statement  that  the  complainant  finds  the 
investigator(s)  to  be  fair  and  objective  unless 
the  complainant  indicates  otherwise.  5.  The 
anticipated  time  frame  of  the  investigation 
and  the  method  and  timing  of  feedback 
from  the  investigator(s).  6.  A  statement  that 
the  complainant’s  cooperation  and  partici¬ 
pation  in  the  investigation  is  required.  7-  A 
statement  that  the  complainant  should  not 
discuss  this  matter  further— other  than  with 
the  investigator(s)— while  the  investigation 
is  being  conducted,  particularly  within  the 
organization.  8.  A  statement  of  the  conse¬ 
quences  of  the  complainant’s  failure  to  fol¬ 
low  these  instructions.  The  consequences 
will  depend  upon  whether  the  complainant 
is  an  employee  or  third  party,  of  course. 

Obtain  relevant  documents,  in  many 
investigations,  there  is  a  paper  trail  that 
provides  important  information  for  the 
investigation.  The  documents  the  investi¬ 
gator  reviews  will  answer  many  questions, 
raise  many  other  important  questions  that 
the  investigator  wall  want  to  ask,  identify 
individuals  that  the  investigator  wall  want 
to  interview,  and  so  on.  Documents  that 
the  investigator  should  consider  obtaining 
include:  personnel  files,  telephone  records, 
expense  account  records,  computerized 
personnel  information,  appointment  cal¬ 
endars,  time  cards,  building  entrance/exit 
records,  computer/word  processing  disks 
and  hard  drive,  e-mail  records  and  voice 
mail  records. 

Special  investigative  techniques. 

With  respect  to  many  investigations,  gath¬ 
ering  relevant  documents  and  interviewing 
relevant  individuals  will  be  the  extent  of 
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the  investigation  conducted.  Sequentially, 
the  investigator  should  review  the  relevant 
documents  obtained  from  the  organization 
and  then  plan  for  the  interview  process. 
Therefore,  the  remainder  of  this  section 
discusses  planning  for  the  interview  pro¬ 
cess.  However,  there  are  certain  times  when 
special  investigative  techniques  beyond 
mere  interviews  are  appropriate.  These  are 
almost  always  investigative  techniques  that 
have  a  high  legal  risk  and  never  should  be 
discussed  or  implemented  without  legal 
counsel.  In  fact,  many  of  these  techniques 
should  require  high-level  approval  before 
they  may  be  utilized,  including  the  follow¬ 
ing:  internal  audit,  physical  investigation 
(fingerprint,  handwriting,  voice  analysis), 
physical  surveillance,  polygraphs,  searches 
of  organization  or  private  property,  and 
electronic  monitoring  or  surveillance. 

Prepare  opening  and  closing  com¬ 
ments.  For  each  interview,  the  investigator 
will  want  to  have  a  set  of  opening  comments 
and  instructions.  Similarly,  the  investigator 
wall  want  to  have  a  set  of  closing  comments 
and  instructions.  This  is  the  part  of  the 
interview  that  is  “canned”  and  not  really 
dependent  upon  what  any  particular  indi¬ 
vidual  says.  Therefore,  there  is  no  excuse  for 
being  unprepared  or  “missing”  a  particular 
point.  For  example,  I  once  had  a  witness 
claim  that  she  was  being  retaliated  against 
after  an  interview.  When  asked  why  she  did 
not  immediately  report  this,  her  answer  was 
that  she  did  not  know  that  she  should  and 
did  not  know  to  whom  to  report  it.  If  true, 
the  investigator  was  at  fault  for  not  provid¬ 
ing  this  information  to  her  as  part  of  the 
“canned”  opening  and  closing  comments. 

Prepare  a  set  of  written  questions. 

This  has  several  advantages.  First,  it  wall 
require  the  investigator  to  think  carefully  in 
advance  about  what  information  is  needed, 
how  best  to  elicit  information  from  each 
individual  and  how  to  protect  the  confi¬ 
dentiality  of  parties.  Second,  it  wall  permit 
the  investigator  to  organize  the  interview 
and  develop  a  logical  sequence  for  ques¬ 
tions.  Third,  it  enables  the  investigator  to 
ask  precisely  the  same  questions  of  multiple 


individuals  and  ensures  that  the  investiga¬ 
tor  will  not  forget  to  ask  certain  questions. 
The  investigator  must  be  careful,  however, 
not  to  be  so  tied  to  an  outline  that  he  or  she 
fails  to  ask  necessary  follow-up  questions, 
or  explore  something  identified  by  a  witness 
that  was  not  in  the  outline. 

Multiple interviews. It is a rare investigation that resolves all questions after interviewing witnesses only once. First, the investigator will frequently learn new information later in the investigation process that he or she will need to discuss with previously interviewed individuals. Second, multiple interviews are an excellent way to assess credibility. Challenging an individual with contrary information, asking the same question in a slightly different way or asking about information learned since your first interview of the individual can give a better assessment of the credibility of that individual. Occasionally, the investigator might want to involve different interviewers to conduct a second round of interviews. This is appropriate if the first set of interviewers might have missed or been unable to obtain some critical information, or if it provides a valuable new perspective on the situation or if they possess different investigative skills, and so on. This approach also has drawbacks, such as creating more potential organization witnesses in any subsequent litigation. Do not adopt this approach without consulting with legal counsel. There may be situations that call for simultaneous interviews of individuals, ensuring that the individuals do not have the opportunity to contact each other prior to the interview. This situation can be addressed either by having the first interviewee remain in a room with a witness until the second interview starts, or by having simultaneous interviews by qualified investigators.

Written statements. Written statements minimize the opportunity for interviewees to dispute the investigator's recollection of the interview or change their story. Statements also are a highly persuasive form of evidence. Many plaintiff lawyers have backed off when shown statements of several individuals refuting their client's story. Consult with legal counsel about this decision.

Taking notes. If the investigation is later challenged legally, the organization will be asked to defend the fairness and quality of the investigative process. The plaintiff will argue that the organization came to the wrong result because the investigator did a poor investigation. The investigation will be more legally defensible if the organization can demonstrate that the investigator planned the investigation process, that the investigator considered each of the issues discussed in this section and that the investigator had rational reasons for following or not following the suggestions contained in this section. As always, contemporaneous notes about how the investigation was planned will be more accurate and credible to a jury or judge than oral testimony at a later point. ■


Please send feedback to feedback@csoonline.com. Other critical planning considerations covered in the chapter include Determining Whom to Interview, Interview Location and Interview Order.
How I've managed to keep the same job for more than a decade  By Anonymous

VERY FEW CSOs last more than a few years at any given place. The turnover rate for security chiefs is pretty consistent with that of CIOs and some other C-level executives. Every three or four years, it seems, it's out with the old and in with the new. There are a few reasons for this lack of longevity, not the least of which is a lack of political savvy. Find yourself on the wrong side of a power struggle and you could end up pushed aside if not outright ousted.

Senior executives often surround themselves with people they handpick, and that's great when you're the one riding the coattails. But what happens when your benefactor falls out of favor with the CEO or board of directors? Odds are that you'll be asked to seek opportunities elsewhere, too, if you haven't cultivated good relations with other key executives.

Likewise, if you're aligned too closely with the wrong person or group, guilt by association can stymie your career even if you aren't forced out altogether. Constituents in your organization may begin to give you the cold shoulder, and getting things accomplished in such an environment can be excruciatingly difficult if not almost impossible.

Now I don't pretend to know all the answers for keeping a CSO job forever. But I will confess to having been CSO of the same company for more than a decade—through a new boss every year or so and more mergers and acquisitions than I'd care to count. Sure, I think I'm good at my job, have hired well and produce consistent results; that goes a long way to not having to clean out one's office. But there are also some basic CSO survival skills that have helped me keep my job.

Survival Strategy 1: Learn to Adapt

ONE THING I've realized is that there are times when going with the flow is the only sensible choice. It's a lot like being in a kayak. Forget which way the current flows and you'll find yourself upside down in an instant, which is way over on the terrifying side of thrilling.

I have to admit that as a fledgling kayaker years ago, I foolishly ventured out onto some stretches of white water before I perfected my Eskimo roll—that is, the ability to right yourself from being underwater without getting out of the boat. I had no business being on dangerous rivers without the necessary skills, but the allure was great and off I went. Luckily I compensated with a far less elegant and more dangerous approach, the wet exit, where the point is to get out of the kayak and get your head above water where you can breathe and see the rocks you're about to be washed into. Soon after, though, I adapted and learned to roll the kayak. I practiced the skill in calm waters until I could execute it flawlessly in high-pressure, fast-moving situations.

Of course, it's better to not capsize in the first place, and that's where going with the flow comes in. In a fast-flowing river, a kayaker is at the mercy of the current unless he knows how much to float along and how much to fight. If you just float, expect to go wherever the river flows, often into rocks and over waterfalls. If you paddle too much, you'll wear yourself out before you reach your destination.

Likewise, when faced with career survival, one must go with the flow on a great many things, including management strategies, philosophies and styles. Some managers will delegate everything and provide no direction; others will micromanage. Some managers are focused purely on cost and don't want to spend a dime; others are insistent on meeting deadlines at any cost. These are cases where it might not matter so much to do things your way. You just have to go with it.

But there are other times, of course, when you need to take control of your destiny. Personally, there are some issues that I couldn't and wouldn't adapt to, such as differences around ethics or legalities. Those are the times to paddle—and hard.


Survival Strategy 2: Play to Stay in the Game

JUST BECAUSE I've been at this job more than a decade doesn't mean there haven't been perilous moments. I can think of several points in my career when it looked like the deck was hopelessly stacked against me. There was one time when a member of the new executive inner circle took a dislike to me and actively tried to torpedo me and my career. During another period, I worked directly for what can only be termed an equine posterior. In each of those cases, strong resistance on my part would have been terminal. I had to hold my ground to some extent just out of principle, but I had to give more than resist. After all, if you fail to stay in the game, you can't possibly win.

I liken this approach to judo, where you use your opponent's momentum against her. You move to the side a bit, get out of the line of attack and give a little shove to your assailant. You don't act as an aggressor, but you don't just stand still and take a beating either. It's more about throwing your opponent off balance. It's a passive sort of resistance.

I seem to have an innate tendency toward fight rather than flight, but I've learned over the years that the most important consideration is that you live to fight another day. Retreat is not necessarily a cowardly approach. Very often it's the smartest thing you can do.

Although most careers shouldn't feel like a war, they invariably come with a few battles, and it's the way we respond that often defines how long we survive. It may feel good to shout, "Damn the torpedoes, full speed ahead!" but torpedoes sink careers as well as ships.

One mistake I've made and seen others make is sticking to a failed agenda. Sometimes ideas are ahead of their time, and people just aren't ready to accept them. Other times an organizational culture just won't accommodate certain changes. These are times when the politically savvy will shelve ideas and shift agendas rather than burn up political capital on no-win situations. Later, when the time is right, you can move on your original agenda.

This happened to me a few years back on a project involving PKI (public-key infrastructure) and digital certificates. Rather than fight a losing battle, I just changed my plans and shelved the project for a couple years.

By the way, I outlasted both of those people who were out to get me. Eventually, other people in the organization realized they just weren't doing a good job. At the time, I felt very alone, but since then, people have said, oh yeah, she was evil and that guy was no good. Sometimes, if you just stay in the game long enough, your opponents will go away.

Survival Strategy 3: Keep Your Friends Close

ANOTHER KEY to protecting your career is building relationships throughout the organization. Allies are always useful when problems unfold, but they can also tell you when others are beginning to plot against you or your agenda. If you know that a situation is brewing, you have a better chance of avoiding it altogether.

This is how I knew to shelve the PKI project a few years back. Based on the intelligence I was getting from my allies, it just became clear that the project wasn't going to fly. People were digging in their heels to stop it from happening.

Other times, you can take hold of the situation and get others to see things your way. But to do this, you need to know what they're saying in the hallways and manage the spin. If they're saying an idea is bad because of some specific reasons that you don't believe are valid, you have to be able to counter that.

Say there's a network topology issue you're dealing with. Maybe your security people say that if you go with this certain form of network topology, you can serve the business better. Meanwhile, the network engineers have a different approach they want to take. Tech people can be very bigoted toward certain architectural platforms. You have to fight for what you think is right, and part of that is managing what other people are saying about it. You may be able to persuade others to your position, but it's a lot easier to do so if you get to the right people and influence them early, to help shape their ideas.

In addition to forming friendly relations with people, building credibility is paramount. At some point in business relationships, people are going to expect you to get the job done. If you establish a pattern of successfully solving problems and delivering on promises, sensible businesspeople will recognize your value. When people recognize that you can make them money or help protect them from losing it, they'll appreciate you. Furthermore, given a finite number of people in an organization, the more allies you have, the fewer adversaries you can have.

Being valuable is even better than being liked. Put the two together, and allies will flock to your defense. Still, if someone just seems dead set against you for whatever reason, you should work hard at changing that dynamic. If you can't win them over, at least keep tabs on them. As the saying goes, keep your friends close and your enemies closer.

Political savvy, of course, is a core competency for anyone in an executive role. Focus exclusively on the technical aspects of the job and you're likely to be caught off guard by political changes. At worst, the climate can become so inhospitable that you find yourself frozen right out of a job. But if the climate starts to grow chilly and you're intent on staying put, you must learn to survive. ■


This column is written anonymously by a real CSO. Send your comments via e-mail to csoundercover@cxo.com.
EADING EVENT FOR SECURITY PROFESSIONALS WORL

Year after year, only one event leads the security industry by delivering the solutions that matter. For 2007, the most comprehensive education and networking event—and the world's largest show dedicated to security—will command the attention of security professionals worldwide by offering four days of 24/7 solutions.

For starters, ASIS 2007 features a custom crafted educational program that is second to none. It's an exciting curriculum of more than 150 top-quality sessions focusing on every aspect of security, from the hottest issues and trends to core management topics and best practices. Delivered by today's newsmakers and seasoned experts with real-world, 'in the trenches' experience, this is an education you won't find anywhere else.

I AL THOUGHT LEADERS TE THIS YEAR'S LINEUP: DR. HENRY KISSINGER, MICHAEL G. OXLEY, CHRISTOPHER GARDNER

To uncover today's top security solutions, visit www.asisonline.org/asis2007 or call 703-519-62

ASIS INTERNATIONAL
The CSO Executive Seminar Series on IDENTITY

Register today at www.csoonline.com/conferences.

The CSO Executive Seminar on Identity Management will tackle this issue by examining the demands placed upon organizations, and how those demands can be addressed with enterprise identity management solutions. With the help of leading experts and practitioners we'll examine the benefits and challenges, review an implementation case study, and explore the business case for adopting these solutions.

WHO SHOULD ATTEND

CSOs, CPOs, CISOs, Security & Privacy Protection Managers, Legal Counsels and others who are charged with protecting documents and files containing identification information.

Government and non-profit officials who prepare their organizations for security issues.

BENEFITS OF ATTENDING

A 360 degree view of identity management including:

• Key identity management implementations
• Building a business case for identity management
• Navigating the roadblocks to success

Visit www.csoonline.com/conferences to view the entire agenda.

SAN FRANCISCO, CALIFORNIA
Thursday, June 14, 2007
7:00am-3:30pm
Ritz Carlton Hotel

NEW YORK, NEW YORK
Wednesday, June 20, 2007
7:00am-3:30pm
Grand Hyatt New York

Space is limited. Register today at: www.csoonline.com/conferences or for more information call 800.366.0246
Fun With USPTO.GOV

Invent!

What do you do when you get a great security idea? Patent it! After all, if these three can be patented, so can yours.

The Person-Identifying Flashlight (1977)

Inventor's Description: It is generally well-known that in this time of high crime, persons must take greater precautions for their own safety than in former years long ago, so to not become victims of robbery, rape or murder. One such precaution is to not open a door of a home if someone is outside whose identity is unknown. There is, accordingly, a need for indicating who may be outside the door, if a person is unable to see who it is. Therefore, it is a principal object of the present invention to provide an instant saviour device that includes a portable flashlight that is additionally equipped with a unit having a picture screen upon which there will appear a figure for more specifically identifying who may be behind an outside door.

The Fear Monitor (1998)

Inventor's Description: A system for providing an alarm when a person suddenly experiences fear, comprising monitoring means for coupling to a person for monitoring at least one physiological condition of the person to provide physiological data signal(s) that are indicative of the status of the monitored physiological condition(s).... The monitored physiological data signals are indicative of the status of the monitored physiological conditions of the person to whom the probes are attached. The monitored physiological data signals are also recorded by the physiological-conditions recorder. The computer system includes a neural network for modifying the stored stress profile data.

The Cell Phone Gun (2004)

Inventor's Description: The present invention relates to an electronic device with concealed firearm system and more particularly pertains to providing personal protection when in an adverse circumstance to a user through the use of a firearm concealed in a device which does not look like a firearm...the antenna having a tubular wall with a rigid central bore and electrically conductive antenna elements within the tubular wall, and with the bore adapted to function as the barrel of a firearm; audio electronics located within the cavity coupled with respect to the ear piece, the mouth piece, conductive elements, and the keys of the pad for allowing the system to function as a cellular telephone; a chamber for receiving a single bullet formed of a shell and a slug adjacent to the interior end of the bore.

SOURCE: ALL PATENT INFORMATION PUBLICLY AVAILABLE AT USPTO.GOV
ILLUSTRATIONS COURTESY OF USPTO.GOV




introducing THE BEST advancement in INTERNET SECURITY in ten years


With new VeriSign Extended Validation SSL Certificates and today's high-security browsers, the address bar turns green, giving your customers immediate assurance that your Web site is secure. The browser also displays your company name and the issuing Certificate Authority, making it more important than ever to choose VeriSign—the most trusted symbol of security on the Web.


Download a free white paper on Extended Validation SSL at www.verisign.com/dm/evwp or call 1-866-893-6565.


© 2007 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, the checkmark circle, and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc., and its subsidiaries in the United States and in foreign countries.
Why can she see everyone's salary, but can't confirm her vendor's payment?

Keep information secure with Identity and Access Management (IAM) solutions from CA. Hold on. Employees with access to information they should never see? And no access to the information they need to do their job? When you're adding employees and changing their responsibilities, it's bound to happen. Unless you have Identity and Access Management solutions from CA. Our industry-leading IAM gives you enterprise-wide security and control.

It's what's made CA the IDC worldwide market leader in IAM six years running, since 1999.* How'd we do that? Well, we're looking at IT from a whole new perspective. It's unified and simplified, it's security without question. And it's all at ca.com/iam.

IDC, Worldwide Hardware Authentication and Identity and Access Management 2005 Vendor Shares, Doc #203296, Sep 2006.

Copyright © 2007 CA. All rights reserved.